3 Answers
3

In an X.509 certificate, the name of the issuer (in your example, A's name) is also included (as issuerDN). Also, a certificate can contain an extension which points to a place where the issuer's certificate can be downloaded (the "Authority Information Access", section 4.2.2.1 of RFC 5280); note that since all certificates are signed entities which are accepted and used only after having verified these signatures, they can be downloaded and transported with little care. Finally, it is customary, in protocols where a party can show a certificate, to actually show a list of certificates containing the needed intermediate CA certificates. This is what happens, for instance, in an SSL Certificate message.

All this gives a lot of ways for a computer to do certification path building, i.e. reconstructing chains of certificates on which validation (including verifying cryptographic signatures) seems relevant.

When the CA issues the certificate, they sign it using their private key. Only the CA's public key can verify that the signature is authentic and the certificate has not been tampered with.

What is odd is that the signature property seems to be missing in a lot of instances (.NET's X509Certificate class and when viewing a certificate in Windows). I've found that even though it is not always displayed, it is still inside the certificate. Given a certificate in DER binary format, you can decode it into plain text which DOES show the signer's signature.

To validate this certificate, one needs a second certificate that matches the Issuer (Thawte Server CA) of the first certificate. First, one verifies that the second certificate is of a CA kind; that is, that it can be used to issue other certificates. This is done by inspecting a value of the CA attribute in the X509v3 extension section. Then the RSA public key from the CA certificate is used to decode the signature on the first certificate to obtain a MD5 hash, which must match an actual MD5 hash computed over the rest of the certificate.
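The procedure quoted above (name match, CA check, then signature check with the issuer's public key) and the path building described in the first answer, run end to end. This is an added example, not code from any of the answers or from OpenSSL's documentation: it builds a throw-away CA, a leaf signed by it, and a "rogue" CA that reuses the issuer's name with a different key, using the openssl CLI (1.1.1 or newer for `-addext`); all names and paths are made up, and openssl signs with its default SHA-256 digest rather than the MD5 of the quoted text.

```shell
# Added example, not the original answers' code: a two-certificate chain built
# with the openssl CLI (1.1.1+ for -addext); all names and paths are made up.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
# Minimal req config so the run does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
newreq() { openssl req -newkey rsa:2048 -nodes -config "$WORK/req.cnf" "$@" 2>/dev/null; }

# Self-signed CA with basicConstraints CA:TRUE, a leaf signed by its private
# key, and a "rogue" CA that reuses the CA's name but holds a different key.
build_chain() {
  newreq -x509 -days 1 -subj "/CN=Example Test CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem"
  newreq -subj "/CN=leaf.example" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr"
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
  newreq -x509 -days 1 -subj "/CN=Example Test CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem"
}

# Path building: does the leaf's issuerDN equal the candidate's subjectDN?
issuer_name_matches() {  # $1 = leaf PEM, $2 = candidate issuer PEM
  [ "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')" = \
    "$(openssl x509 -in "$2" -noout -subject | sed 's/^subject=//')" ]
}

# Step 1 of the quoted procedure: the candidate must be a CA certificate.
issuer_is_ca() {  # $1 = candidate issuer PEM
  openssl x509 -in "$1" -noout -text | grep -q "CA:TRUE"
}

# Step 2: the digest over tbsCertificate is recomputed and the signature is
# checked with the candidate's public key (verify also checks validity dates).
signature_valid() {  # $1 = leaf PEM, $2 = candidate issuer PEM
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# The signatureValue is the last BIT STRING of the DER, whatever a viewer shows.
signature_present_in_der() {  # $1 = PEM cert
  openssl x509 -in "$1" -outform DER | openssl asn1parse -inform DER \
    | tail -n 1 | grep -q "BIT STRING"
}

# Stand-alone run: "ca" passes; "rogue" matches by name and is a CA, yet fails.
build_chain
for cand in ca rogue; do
  signature_valid "$WORK/leaf.pem" "$WORK/$cand.pem" \
    && echo "$cand: signature verifies" || echo "$cand: signature does NOT verify"
done
```

The rogue CA passes the name and CA:TRUE checks, so only the signature check tells the two apart; that is the step a certificate viewer that hides the signature field still has to perform.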

This question is language-agnostic. When people say 'ssl certificate' or just 'certificate' they are usually referring to an x509 certificate, en.wikipedia.org/wiki/X.509

Very well. In that case, then, let me clear up a few misconceptions you seem to have.

From your original post:

I've found that given a certificate in any format (say DER), you can convert it back to its original text form which DOES contain the signer's signature.

The output of openssl asn1parse isn't the "original text" by any means. It's just a human-readable version of the DER (which itself is a base64-decoded PEM).

An X.509 certificate must contain the "signer's signature". If it didn't, it wouldn't be an X.509 certificate. Whether or not .NET's X509Certificate class outputs the "signer's signature" is another matter. And in lieu of knowing what it does output I can't really comment on that.

What is odd is that the signature property seems to be missing in a lot of instances (.NET's X509Certificate class and when viewing a certificate in Windows).

To recap... the "signature property" is always present. The human-readable version of the X.509 certificate .NET's X509Certificate class gives you may not include it, but that does not mean the DER doesn't have it. It does.

Welcome to Information Security. Answers are only supposed to be used to answer the question, not to start a debate or respond to other comments or answers. Please see the FAQ, and How to Answer. Thanks!
– AviD♦ Oct 2 '12 at 12:17

How was I starting a debate? Despertar does have misconceptions. Bruno corrected some of them. I attempted to correct some as well. Despertar questioned the relevancy of my question and I explained why it was relevant. Well I suppose "questioned" isn't the right word. He was more like "this is not relevant" as a matter of fact. Which is pretty consistent with his whole posting style. He's like "I've found [this]" and "What is odd is [that]". The only time he ever asks a question is his first post and all subsequent posts are more like "this is how it is" even though that isn't how it is.
– ansur Oct 2 '12 at 14:18

@ansur Our format isn't that of a forum. Your "answer" doesn't really perform the job of explaining how a certificate signer is verified.
– Jeff Ferland♦ Oct 2 '12 at 18:22

Neither does Bruno's "answer". He simply corrects a misconception as I do. I suppose technically he did a comment but (1) my post was too long for a comment and (2) I don't have a ton of points. I don't think I even had the ability to do comments until after I did my first post idk.
– ansur Oct 3 '12 at 20:19